ABSTRACT

This essay presents the results of a study which surveyed the various aspects of system security hardware, software, and procedural techniques in use in current and proposed automated systems. Its impetus is from the concern for security control that has been generated by the increasing number of time-sharing and resource-sharing systems. The intention is to present the designers, managers, programmers, system implementers, and operational personnel with a consolidated source of data concerning security techniques and with a tool to evaluate the data and select the techniques applicable to their respective security requirements.
I. INTRODUCTION


The basic security requirement in any system is to prevent unauthorized access to or change of data while allowing the authorized use necessary to accomplish the system's mission. Manual systems require the protection of data only. Automated systems introduce the added problem of protecting the process, both programs and hardware, that is used to store, access and change the data. This implies the necessity of adequate safeguards built into the management and hardware/software aspects of the system. Thus a decision must be made as to what is needed in the way of security. The processing and storing of sensitive information and preventing it from falling into the wrong hands is a technological problem requiring a comprehensive examination of both the type of information and the possible/probable threats that a data bank will be required to handle.

The objective of the current effort is to (1) review current and completed studies of the security and access limitation problem for automated systems; (2) analyze the data collected, considering the differences in techniques as required by systems and users; and (3) discuss techniques for data base security and access control applicable to a given system.


II. NATURE OF THE PROBLEM

A close examination of security requirements indicates that they are dependent on the specific type of threat posed to the system. There are three general classes of threats: unintentional, deliberate passive, and deliberate active.

Unintentional threats are those that arise from hardware and software failures and user errors which allow unauthorized but inadvertent access to files or programs.

Deliberate passive threats are caused by electromagnetic radiation from the computer hardware and communications equipment. Passive methods include wire-tapping and monitoring of electromagnetic emanations.

Deliberate active threats are from attempts to enter the system so as to obtain data from the files or to interfere with data files or the system. Examples of this type of threat are (1) using legitimate access to ask for or obtain unauthorized access (browsing), (2) masquerading as a legitimate user, (3) using access to the system as support personnel (systems programmers, operator, hardware maintenance, management) to obtain data or create trap doors into the system, (4) tapping into remote terminals to receive "piggy back" entry with an authorized user, (5) between-lines entry, and (6) cancellation of a user's sign-off signals to continue operation.

These threats are nearly the same for all systems, differing primarily in the degree to which system design features allow exploitation. This potential for exploitation is created at each point where a user interacts with the system. Since the security requirements depend on the threat of exploitation, and the threat of exploitation in turn depends on the particular system access point, the key to specifying the security requirements for a system lies in an examination of the system's accessibility.


III. SECURITY REQUIREMENTS COMMON TO ALL SYSTEMS

The overall safeguarding of information in a computer system, regardless of configuration, is achieved by a combination of protection features aimed at the different areas of leakage points. These areas are discussed below, and an overview of the vulnerability points is depicted in Figure 1.

A. MAINTENANCE AND SUPPORT ACCESS

All systems have the requirement to allow access for maintenance of the system software and hardware. This "support access" must be provided for the system programmers, maintenance personnel, computer operators, and management personnel responsible for the system operation. It represents a potential means of deliberate active penetration and has been addressed in the literature on non-military systems as the area of most concern. Non-military systems lack the procedural security regulations established by law for military systems. [AMR 71]

The support access characteristics were similar in all systems. Access at the assembly/procedure oriented language level is needed to debug programs, maintain hardware, and establish system operating conditions. In all government systems, this support activity was conducted only at local terminals within the secure computer area, where common procedural techniques were relied on to limit access to cleared personnel.

The accessibility afforded to support personnel in commercial systems has received more attention in terms of the development of sophisticated automated security techniques. The primary reason is that military systems have developed strong procedural techniques (clearance procedures for personnel, security regulations with formal legal penalties for infractions) that are not available for use in commercial systems.

Security requirements determined by the need for support access include (1) the ability to isolate access to programs and data to only those authorized to maintain the particular program/file, (2) the ability to effectively restrict maintenance personnel to the maintenance of specific software routines, (3) the need for procedures to ensure that programs are completely debugged, (4) the need to audit files for unauthorized changes, (5) the ability to determine if equipment is operating properly before it is placed in the system, (6) the ability to detect and control changes to system routines, (7) the ability to bound dumps of memory and peripheral storage, (8) the ability to determine that a program only performs the function for which it was designed, and (9) the ability to restrict access by internal control tables.


B. FAILURE ACCESS


The threat of compromise from the release of data or programs due to hardware or software failure is common to all systems and represents a potential means of unintentional penetration. Such failures can involve the coupling of information from one user with that of another user, rendering the files or programs unusable. They could result in defeat or circumvention of security measures, or unintentional change in the security status of users' files or terminals. Accidental disclosures may also occur through improper actions of machine operating or maintenance personnel without deliberate intent.

Security requirements determined by the need for failure control include the following: (1) the ability to trap to software error routines when parity errors are encountered, (2) the ability to prevent circumvention by software "bugs" of the partitioning technique that isolates data and programs from unauthorized access, (3) the need to check out and certify program changes and equipment repairs to ensure that they are operating correctly, (4) the need to maintain the protection mechanism when a system error is encountered, (5) the need to recover from failure without revealing protected data and system tables, and (6) the need to protect backup files and to certify that the appropriate backup file is loaded.

C. DELIBERATE PASSIVE ACCESS

Electromagnetic radiation, wiretapping, and "bugs" can be used on all systems if proper security techniques are not implemented. Electromagnetic radiations from computer equipment, power lines and communications lines can be detected and decoded. Wiretapping into communications lines can be used to send and receive data. The planting of bugs or recording devices is possible if proper area security precautions are not used. Techniques that are applicable to this category of requirements are cryptographic data transformations and/or shielded lines for communication links, and maintenance of a properly secured area.

Security requirements determined by the need to prevent deliberate passive access include conventional red/black (classified lines and unclassified lines) isolation requirements as well as (1) the ability to encode/decode transmitted data so that it cannot be deciphered, (2) the need to certify that hardware either cannot be, or has not been, tampered with, and (3) the ability to make stored data unintelligible to direct dumping.




IV. SECURITY REQUIREMENTS PARTICULAR TO A GIVEN SYSTEM

Systems differ in their interface with the system user. The user of the system exercises the system for its functional purpose and is not concerned with its design, implementation, or maintenance. User accessibility to a system is defined by the type of system interface, the language capability offered, and the clearance of data and users provided. Different combinations of these imply increasingly sophisticated levels of access rights and hence different possibilities of penetration attempts. The user access capabilities that directly relate to security requirements are language capability, terminal location and usage, and user and data clearance levels.

A. USER LANGUAGE CAPABILITY

The user interfaces with the automated system in either an off-line or an on-line mode. In an off-line mode he submits requests for data services to support personnel and receives as his output printed reports. This mode of operation is typical of closed shop batch systems. Their security requirements, insofar as they concern the user, differ from manual systems only by the addition of a requirement for security within the secure area of the computer facility.

In the on-line mode, the user is provided a capability to request data services directly from the computer equipment by means of some input (generally remote) device. His form of interaction with the computer can vary from rigid requests for predetermined fixed transaction input/output, to use of a free-form query language, and entry of actual computer programs in procedure oriented or assembly language. Increased security requirements are dictated as the level of capability to access data increases.

Fixed transaction input/output allows the system designer to predetermine what will be the specific input and output allowed for a given user at a given terminal. The ability to enter and execute POL or assembly language programs places the user at almost the same capability as support personnel and could allow circumvention of security techniques implemented for fixed format or free form query capabilities. A higher level of security requirements is necessary to provide protection against this increased language capability. See Figure 2.

B. TERMINAL LOCATION AND USAGE

The ability of a user to access or change data from remote terminals suggests penetration methods not possible in a system with only local terminals within a secure area. The communications lines must be protected, and system or user errors could allow release of data outside the secure area. Additionally, the vulnerability of a remote terminal secure area, especially in a tactical military system, is greater.

System security requirements are also influenced by the use of the terminals; that is, whether there is only one class of need-to-know at a given terminal or whether there are multiple classes of need-to-know at a given terminal. Multiple need-to-know at a given terminal requires that the system be able to identify the different user classes at a given terminal and provide protection against "browsing" and "masquerading".

C. DATA CLASSIFICATION

The security classification of data is an expression of the value of the information to national defense and hence the seriousness of its unauthorized access or change. Systems which handle Top Secret data have a higher security requirement than those which handle data of lower classification. In a security requirement sense, if different levels of data classification exist, the security design problem increases since techniques must be implemented to isolate the different levels, provide the proper degree of security protection, and guard against unintentional or deliberate attempts to gain access to data at unauthorized security levels.

Three levels of security requirements exist depending upon the classification of data in the system and the level of clearance of the user: (1) the data classification is all one level (such as Secret) and all users are cleared to that level, (2) different data classifications exist (Top Secret, Secret, Confidential) with users of different clearance levels, and (3) unclassified data exists with classified data and uncleared users are allowed to access the unclassified data. The security requirement increases as data classification and user clearance level increase in complexity.
V. COMPARISON BETWEEN HARDWARE, SOFTWARE, AND PROCEDURAL TECHNIQUES

The comparison of hardware and software techniques identifies which security function can best be accomplished by each and whether combinations of these techniques are necessary to provide adequate protection. A comparison of manual versus automated system procedures identifies the similarities between the two systems and the different approaches taken to perform the security function. Such a comparison provides a method to judge the relative value of automated techniques to achieve at least the same security level as manual systems. This section considers first the comparison of hardware and software techniques which can be used for security purposes and then considers the similarities and differences between automated and manual system security procedures.

Figures 4 and 5 provide a qualitative assessment of the relative merits and costs of the techniques discussed. These costs are divided into three areas. Costs for procedural techniques were not estimated.

Response time - the cost incurred by every message input to the system, expressed as an effect on the length of time that a message response is delayed by the processing required for the technique in question.

Throughput - the cost incurred by the system, expressed as the decrease in the amount of processing the system is able to accomplish in a given time period caused by the additional processing required for the technique in question.

Procurement - the cost associated with each technique, expressed as the degree of expense involved in developing, maintaining, and servicing the technique in question.

The effect in each case is described as low, medium, or high, where low is taken to mean less than 5 percent increment in the cost of the system, medium to mean between 5 and 10 percent, and high to mean more than 10 percent.


A. SOFTWARE TECHNIQUES

The software techniques surveyed are described and compared in terms of the general threat to which they apply. The techniques are categorized by the major functional routines of an on-line system.

1. User Interface

The user interface is the point at which the user becomes known to and interacts with the system. In a secure system, only known users can be permitted access. The proper identification of the user is necessary for accountability and, in a system that allows multiple need-to-know access at a terminal, to determine the access rights to be associated with the task that is initiated by a user's input request.

a. User Security Clearance

The user security clearance is the assignment to each user of a code word indicating the highest classification level of data to which he has been authorized access. Generally, the code word consists of three bits, allowing for seven combinations, that are compared on a simple equality test against the security classification code of the data. The assignment and maintenance of codes are the responsibility of either the security officer, the data administrator, or support personnel. The legal pairs of user codes and data classification codes are maintained in most cases in a system table which can only be accessed in executive mode.

b. User Access Privileges

If it is necessary to link individual users to subsets of the available data or processes, then some type
of user profile must be developed either pointing to or specifically identifying the user access privileges. This profile may contain the identity or classification of the files available to the user, the manner in which the files can be accessed (i.e., read, write, process, modify or erase), the degree to which access is permitted, the specific terminals from which the user may operate, and the particular processes he may execute (named routines, standard jobs, or precompiled transactions). [Glasser 67] The user profiles themselves are maintained as a system file, normally resident on secondary storage because of its size. Because of its sensitivity, the data contents of the file are usually transformed.
c.   Password 

The password is the privileged identifier that a user must submit to obtain entry to the system. From a software standpoint, it is the only means of initially identifying a legal system user. Passwords may be required at log-in, at both log-in and log-out, or for every transaction executed. The more frequently the password is required, the less likely is the possibility that an illegal user will obtain entry, but the more costly the user interface becomes in terms of its effect on thruput and response time. Typed-in passwords range from 3 to 18 alphanumeric characters in existing systems, are either fixed or variable in length, and may contain blanks. No data was available on the format of voiceprint or key-pattern passwords. Passwords remain unchanged in some systems, are changed periodically in others, and are changed at irregular intervals in one proposed design. [Weissman 69] The more frequently the password is changed, the higher are both the maintenance cost and the error rate. Passwords are either assigned, generated, or selected using some standard random number generator.

Although it has been shown that any password scheme can eventually be broken, the degree of difficulty of doing so exceeds that of opening a 3-way 50-number safe combination when the password exceeds five alphanumeric characters. Some systems attempt to detect password tinkering by assuming that a fixed number of consecutive illegal attempts (usually 2) from the same terminal is sufficient cause. Legal passwords are maintained in every case as a system table.

d. Password Dialogue

Since it is possible to eventually break any password scheme, several variations of the technique have been suggested to obtain more foolproof identification of legal users. One such variant is to require the user to engage in a form of dialogue with the system after the initial password is validated. This dialogue requires the user to provide responses either unique to himself (his payroll number in one case; another password in another case; a user-defined item of personal knowledge in a third case) or to perform some relatively simple algorithm on either a system-supplied random variable or some transitory quantity (time of day, date, etc.); the system performs the same algorithm and checks the validity of the response. [Babcock 67] (e.g., system: "enter password", user: shazam, system: "OK. enter key", user: 3750094) Once again, the scheme is susceptible to penetration, but the level of difficulty has been raised significantly, at a cost in increased terminal response time and communication line loading. [Baran 64]

e. Consecutive Password List

Another variation of the basic password technique is to assign a list of legal passwords to each user. The system will accept only the next password on the list each time that the user enters his password. This makes it extremely difficult to obtain a legal password through either passive deliberate penetration attempts or active tinkering with password combinations, but it also requires hard-copy lists of legal passwords to be made available to users and inevitably produces a greater number of erroneous entries by legal users. In spite of these drawbacks, consecutive passwords for each input have been accepted as an alternative to encrypted data links in one military system. [Weissman 69]

f. Password Transform

Since the list of legal passwords is considered to be extremely sensitive information, it is usually resident in core, and is frequently appended to program status blocks. Several systems have taken steps to prevent its being obtained either deliberately or accidentally by a readout from core. These steps involve implementing various transformation techniques on passwords received. Huffman encoding is used in one system; a simple transposition of digits is used in another; an algorithm to produce non-reversible inversions is implemented in a third. [Petersen 67]
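The password, password dialogue and password transform techniques of c, d and f above, combined in one added example that is not part of the original survey or of any system it describes. The user name, the dialogue arithmetic (add a private offset to the system-supplied number, keep the low seven digits) and the salted SHA-256 standing in for the page's unnamed non-reversible transform are all constructed assumptions; the limit of 2 consecutive illegal attempts per terminal is the figure the page gives.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def dialogue_response(challenge: int, offset: int) -> int:
    # Constructed "relatively simple algorithm" the user performs on the
    # system-supplied random variable (the page's example key has 7 digits).
    return (challenge + offset) % 10_000_000


@dataclass
class Terminal:
    address: str
    bad_attempts: int = 0   # consecutive illegal attempts from this terminal
    locked: bool = False


class PasswordSubsystem:
    MAX_BAD_ATTEMPTS = 2    # "usually 2" consecutive illegal attempts (c. Password)

    def __init__(self) -> None:
        self.table = {}       # user -> (salt, transformed password, dialogue offset)
        self.terminals = {}   # terminal address -> Terminal
        self.pending = {}     # terminal address -> (user, outstanding challenge)
        self.alarms = []      # (terminal address, user, nature of attempt)

    @staticmethod
    def _transform(salt: bytes, password: str) -> bytes:
        # Non-reversible transform of the stored password (f. Password Transform);
        # salted SHA-256 is an assumed stand-in for the page's inversion algorithm.
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def enroll(self, user: str, password: str, offset: int) -> None:
        salt = os.urandom(16)
        self.table[user] = (salt, self._transform(salt, password), offset)

    def _terminal(self, address: str) -> Terminal:
        return self.terminals.setdefault(address, Terminal(address))

    def _illegal(self, term: Terminal, user: str, nature: str) -> None:
        term.bad_attempts += 1
        if term.bad_attempts >= self.MAX_BAD_ATTEMPTS:
            # Alarm carries the terminal address and the nature of the attempt;
            # the terminal stays isolated until the control group re-enables it.
            term.locked = True
            self.alarms.append((term.address, user, nature))

    def enter_password(self, address: str, user: str, password: str):
        """System: 'enter password'. Returns the dialogue challenge, or None."""
        term = self._terminal(address)
        if term.locked:
            return None
        record = self.table.get(user)
        if record is None or not hmac.compare_digest(
                record[1], self._transform(record[0], password)):
            self._illegal(term, user, "bad password")
            return None
        challenge = secrets.randbelow(10_000_000)   # system-supplied random variable
        self.pending[address] = (user, challenge)
        return challenge

    def enter_key(self, address: str, key: int) -> bool:
        """System: 'OK. enter key'. True only if the user's arithmetic matches."""
        term = self._terminal(address)
        if term.locked or address not in self.pending:
            return False
        user, challenge = self.pending.pop(address)   # each challenge is single-use
        if key != dialogue_response(challenge, self.table[user][2]):
            self._illegal(term, user, "bad dialogue key")
            return False
        term.bad_attempts = 0
        return True

    def reenable(self, address: str) -> None:
        """Control-group action that brings a locked terminal back on-line."""
        term = self._terminal(address)
        term.locked, term.bad_attempts = False, 0
```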

2. Terminal Subsystem

Nearly all of the systems surveyed provided for on-line terminals, and a significant part of the software in these systems is that associated with terminal characteristics. Less significant, however, are the software techniques implemented to account for security requirements arising from remote terminals. Terminals must be discretely identified to insure that data is transmitted to the correct location. Terminals at remote sites are susceptible to communication errors on transmission due to noise, may be easily expropriated for illegal use, and are frequently subject to public or semi-private display and the subsequent casual eavesdropping.

a. Error Correction Methods

The most obvious problem with terminals connected to a system through communication lines is the noise factor on the communication lines themselves. It introduces the possibility that illegal values or erroneous addresses may be input in otherwise valid messages. Methods have been developed in many systems to reduce the effects of noise in transmission. They include hash totals (i.e., cumulative adds) of characters or bits in the message; parity check bits and longitudinal redundancy checks to detect garbled words; and retransmission to compare duplicate results.
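The three checks just listed, as an added example that is not code from the original survey: a message block carrying per-character even parity, an exclusive-OR longitudinal redundancy check and a one-byte hash total, plus a retransmission compare. The message and the block layout (characters, then LRC, then hash total) are constructed assumptions; the constructed errors show that each check catches a garbling the others miss.

```python
from typing import List, Optional


def with_parity(char: int) -> int:
    """Attach an even-parity bit in bit 7 to a 7-bit character code."""
    ones = bin(char & 0x7F).count("1")
    return (char & 0x7F) | ((ones & 1) << 7)


def parity_ok(byte: int) -> bool:
    """Even parity: a received byte must carry an even number of one bits."""
    return bin(byte).count("1") % 2 == 0


def lrc(chars: List[int]) -> int:
    """Longitudinal redundancy check: exclusive-OR across every character."""
    acc = 0
    for c in chars:
        acc ^= c
    return acc


def hash_total(chars: List[int]) -> int:
    """Hash total: cumulative add of the character values, kept to one byte."""
    return sum(chars) & 0xFF


def encode_block(text: str) -> bytes:
    """Block as sent: parity-bearing characters, then the LRC, then the hash total."""
    chars = [with_parity(ord(ch)) for ch in text]
    return bytes(chars + [lrc(chars), hash_total(chars)])


def check_block(block: bytes):
    """Run all three checks on a received block; returns (ok, list of problems)."""
    body, rx_lrc, rx_total = list(block[:-2]), block[-2], block[-1]
    problems = []
    bad = [i for i, c in enumerate(body) if not parity_ok(c)]
    if bad:
        problems.append(f"parity failure at positions {bad}")
    if lrc(body) != rx_lrc:
        problems.append("LRC mismatch")
    if hash_total(body) != rx_total:
        problems.append("hash total mismatch")
    return (not problems, problems)


def decode_block(block: bytes) -> str:
    """Strip the parity bits and the two trailing check characters."""
    return "".join(chr(c & 0x7F) for c in block[:-2])


def receive_with_retransmit(copies: List[bytes]) -> Optional[str]:
    """Retransmission compare: accept a text only when two copies that pass every
    check agree with each other; otherwise report that more copies are needed."""
    clean = [decode_block(b) for b in copies if check_block(b)[0]]
    for i, text in enumerate(clean):
        if text in clean[i + 1:]:
            return text
    return None
```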

b. Terminal Answerback

Since it is possible to piggyback illegal terminals onto legal circuits, particularly in dialed and switched network systems, methods have been developed to uniquely identify legal terminals. Often, the identity is established by comparing the expected terminal address to a hard-wired terminal identifier that automatically transmits (i.e., "answers back") an identification key (20 alphanumeric characters in the system where this figure was published) with each input message or in response to a request code preceding each output message. [CDC 66]

c. Terminal Profile

The classes of data and/or users that can be legally associated with a given terminal are defined in a terminal profile list. This list is an extension of the terminal address table maintained by the executive. It usually only describes the highest security classification of data that can be output to a given terminal. It may also include a list of specific transactions that can be executed from that terminal and/or a list of explicitly named users who may access through the terminal. [Weissman 67]

d. Terminal Character Suppression

Any on-line terminal that is used to input identification codes is susceptible to both casual and deliberate eavesdropping. There are two variations of a technique to reduce the vulnerability of input codes. In the case where hard copy is used, the system strikes over the number of positions required for identifier codes each time such a code is expected from the user. This provides a marginal degree of protection. In the other case, a code is transmitted to the terminal to suspend printing or display images on the text line in which an identifier code is expected by the system.

e. Automatic Alarm and Disconnect

If the system is able to detect that a terminal or a terminal connection is being used for (attempted) illegal input, it is necessary to provide an alarm to alert the control group and to isolate the suspect terminal from the system. Obviously, the alert should include the terminal address. It could also include the nature of the attempted input. Since it may be advantageous not to alert the interloper that his presence has been detected, the isolation of the suspect terminal in one suggested plan would still permit it to remain linked to the system by engaging the user in a series of questions and delays. In most cases, however, the terminal is disconnected and/or the keyboard is locked to prevent further communication. Bringing the terminal on-line again usually requires that the security officer or control group input a special identifier code.

3. Executive/Monitor

The heart of any multi-programming system is the executive control routine. It is the most complex, sophisticated, and important component of the software. By its very nature, it is perhaps the most difficult to penetrate, but then, it is undoubtedly the most rewarding. In this area in particular, procedural techniques must be relied upon. It is impossible to prevent support personnel from leaving "trapdoors" or potential entry points in the software, and the need for integrity of and confidence in support personnel is paramount. Many of the techniques developed in this area also require parallel hardware features.

a. Privileged Instructions

Given that the hardware has a master/user mode capability, the set of instructions that can be executed in the master mode are regarded as privileged instructions. Since they are intimately involved with system control (e.g., the setting and resetting of bounds registers, the initiation of channel commands, the loading of read/write address registers, the deciphering of internal and external interrupts), they have an immediate application to security requirements. They should be used sparingly and should be concentrated in a few easily associated routines. The routines should operate in privileged mode as briefly as possible, branching to user mode to perform the function initiated. Dispersing privileged instructions in many executive routines simply improves the chances for trapdoors and illegal circumvention.

b. Relocatable Bootstrap

If it were possible to bypass protection keys and to gain access to areas of memory normally reserved for the executive and its tables, then it would also be possible to read any of the access lists and authority tables controlled by the executive. One technique suggested to reduce the likelihood of this occurring is to perform bootstrap loading of executive routines from a changing key address. In this manner, executive routines and tables no longer have absolute locations relative to each other and to the user partitions, and only haphazard location of the secured routines would be possible. Because of its potential effect on the efficiency of the system, the technique has only been discussed. [CDC 66]

c. Redundant Coding

Since it is possible to modify code prior to loading, it has been suggested that key routines exist as multiple, discrete copies, and that requests for the services of these routines be executed in parallel by each copy. The results can then be compared, including the number of instructions executed. The effective cost of this approach is high even in a multiprocessing system, but it further insures that key security routines cannot be modified or executed without detection. [Molho 70]

d. Module Dialogue

In any calling sequence, the parameters passed between modules are usually specified as a part of the standard call macro. It has been suggested that this be modified somewhat in those cases where it is feared that an interloper may substitute his own code for a system routine. At random points in the routine in question, private call parameters known only to the programmer responsible for that routine can be inserted. The routine called (or calling) is also prepared to expect the interspersed dialogue words. Since these would be difficult to detect in absolute code, it would raise considerably the level of difficulty associated with making such code substitutions.

e. Program Interpretation

Since it is difficult to detect subtle changes in absolute code, it has been suggested that programs be loaded through an interpreter at all times. If the interpreter includes some kind of code optimizer, each version of a program in its absolute code form would be slightly different from the preceding one. In this way, not only would it be difficult for a penetrator to modify or decipher program routines (except as a one-time event), but it would also be difficult for the programmer himself to take advantage of fixed relationships in his program that might permit the introduction of trap-doors.

f. Centralized I/O Control

This is a fairly common technique employed by most third-generation systems. It separates application programs from direct address references to I/O devices and instead requires them to submit macro commands that deal with the device as a logical, virtual, or relative extension of memory. The executive then generates and performs the physical I/O commands and thereby is able to maintain control over boundary establishment and limited units of allocation. Without the equivalent hardware capability to trap to monitor mode whenever privileged instructions are attempted, this approach cannot be validated.

g. Error Monitors

In a system with many users, the cost of maintaining security can increase significantly if the user error rate is high. This technique is intended to maintain a rating of the capability of individual users to perform the procedures associated with inputting valid transactions. If their error rate increases beyond a predetermined level, then their priority in the system is decreased. The cost of maintaining this scheme is quite high, however, since it requires some corresponding method to re-evaluate and to certify the user's capability.

h. Error Interrupts

Any attempt to perform an illegal operation, to address some location outside of assigned boundaries, to input erroneous data, etc., should be the cause of an error interrupt. The routines to handle such interrupts can attempt to correct the error and resubmit the request, abort or suspend the user in question, alarm control authorities, or regard the error as acceptable, flag it, and continue processing. Once it is determined in monitor mode what the interrupt is, any further processing to deal with it should be performed in user mode to reduce the occasions for illegal execution of privileged instructions.

i. Executive Commands By Access Rights

This technique associates a category code with all executive command routines and restricts their direct use to only the subset of users cleared to the equivalent category of access.

j. Boundary Maps

Boundary maps are the legal units of allocation assigned to given users. They represent the direct input to base and limit registers that determine the domain in which a user can be active. Boundary maps in most cases are stored with the user in question and represent a potential means to illegally extend the accessibility afforded a given function should they be modified. [CDC 66]

k. Memory Access Keys

In a page or segment-oriented system, there are usually lock registers associated with each physical page in memory. When a user is assigned to memory, his identifier is used to generate a unique key that is loaded into all of the page registers assigned to the particular user. An address reference to the protected pages cannot be made unless it contains the appropriate key-pattern in its own key register. Obviously, selected executive routines must have a universal key. Setting and access to the key registers should be a privileged function. [IBM 67]
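A software model of the lock-and-key scheme just described, added here as an example rather than taken from the survey or from the IBM system it cites. The page size, the choice of key 0 as the universal key, the way a key is derived from the user identifier and the zeroing of a page on release are constructed assumptions; the privileged-only setting of lock registers and the universal key for executive routines follow the text.

```python
PAGE_SIZE = 256          # constructed page size
UNIVERSAL_KEY = 0        # constructed: key 0 opens every lock; reserved for the executive


class ProtectionViolation(Exception):
    """Raised where the hardware would take a protection interrupt."""


class ProtectedMemory:
    def __init__(self, pages: int) -> None:
        self.locks = [None] * pages            # one lock register per physical page
        self.store = bytearray(pages * PAGE_SIZE)
        self.mode = "user"                     # "user" or "master"
        self.keys = {}                         # user identifier -> key derived for it
        self.violations = []                   # log of trapped references (key, addr)

    def _privileged(self) -> None:
        # Setting lock registers is a privileged instruction: master mode only.
        if self.mode != "master":
            raise ProtectionViolation("privileged instruction attempted in user mode")

    def key_for(self, user_id: str) -> int:
        """Derive a unique, non-universal key from the user identifier (assumed scheme)."""
        self._privileged()
        return self.keys.setdefault(user_id, len(self.keys) + 1)

    def assign_pages(self, user_id: str, pages) -> int:
        """Load the user's key into the lock register of every page given to him."""
        key = self.key_for(user_id)
        for p in pages:
            self.locks[p] = key
        return key

    def release_pages(self, pages) -> None:
        """Deallocate: overwrite the page with zeros, then clear its lock."""
        self._privileged()
        for p in pages:
            self.store[p * PAGE_SIZE:(p + 1) * PAGE_SIZE] = bytes(PAGE_SIZE)
            self.locks[p] = None

    def access(self, key: int, addr: int, write=None) -> int:
        """Reference by a program holding `key`; traps unless the key matches the page lock."""
        page = addr // PAGE_SIZE
        lock = self.locks[page] if 0 <= page < len(self.locks) else None
        if lock is None or (key != UNIVERSAL_KEY and key != lock):
            self.violations.append((key, addr))
            raise ProtectionViolation(f"key {key} does not open page {page}")
        if write is not None:
            self.store[addr] = write
        return self.store[addr]

    def can_reference(self, key: int, addr: int) -> bool:
        """True if a read at addr with this key would not trap."""
        try:
            self.access(key, addr)
            return True
        except ProtectionViolation:
            return False

    def try_set_lock(self, page: int, key: int) -> bool:
        """Attempt to change a lock register; refused outside master mode."""
        try:
            self._privileged()
            self.locks[page] = key
            return True
        except ProtectionViolation:
            return False
```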

l. Security Monitor

The security monitor is a technique that attempts to certify the validity of the various protection mechanisms in a system. At its simplest, it consists of a set of on-line diagnostic routines that exercise the various hardware components in a configuration, expecting a valid operation to produce a pre-designated result. In a more complex form, it attempts to deliberately execute illegal hardware or software operations and then determines whether or not the responsible protection mechanism has successfully intercepted and handled the illegal attempt; this version can have a significant effect on system thruput and, therefore, requires a careful consideration of what are acceptable and expected failure levels. [Molho 70]

4. File Handler

The data available in any system is the reward for penetrating the system. The data available in an automated system significantly increases the potential reward because of the large amount, the anonymity of access, and the difficulty of detection. Data protection is traditionally obtained by assigning responsibility and limiting access. Techniques to accomplish both are available in automated systems. At least the same level of protection can be obtained in an automated system as in a manual system.

a. File Classification Code

This technique is commonly employed in most systems that deal with formally classified data. It simply involves assigning one of the categories of classification to each data file and then either assigning the file only to jobs or individuals of equal or higher clearance, or, in the case of shared files, releasing data from the file only to users of equal or higher clearance. A somewhat adventuresome extension of this technique is to attempt to automatically assign classification levels to new files. In one system, this is done by using the highest classification from contributing files. [Weissman 69] In a proposed scheme, it is done by doing a key-word count and weighing the file in accordance with the number of key-words encountered. [Daley 65] In neither case was it shown to be statistically more or less effective than manual classification, except in the marginal area between unclassified and confidential.

b. File Access Lists By File

An extension of the file classification code is the assignment of specific authority lists to each file. These lists describe the original creator (or owner) of the file; the other individuals, groups, terminals, etc., who can share the file; usually the manner in which they can access the file (read, write, modify, execute, or erase); and the degree to which access is permitted. At the file level only, it corresponds to the cataloguing function of most third-generation systems. [Glasser 67]

c. File Access Lists By Level

An extension of the previous technique that permits it to be used in a more flexible environment than that described by formal discrete files is to assign access lists to levels of files, or to individual nodes in data sets. This is especially useful if the files consist of programs arranged in some kind of hierarchy from common (free) utility routines to machine-oriented (owned) system routines. The cost of maintenance, particularly the determination of access privileges, is quite high. [Babcock]

d. File Access Profile

If a number of users with different need-to-know interact with a shared set of data, it is necessary to distinguish the data rights of each user. This is accomplished by assigning to each file descriptor a profile word that contains a set of flag-bits, each flag-bit representing a unique need-to-know identifier. In the systems utilizing this technique, separate profile words are assigned for read and update access. There is associated with each user's profile an equivalent word with the need-to-know flag assignment according to his requirement for data. A one-to-one correspondence between user and file profiles at each flag position is required before access is permitted. [Bingham 65]

e. Data Element Classification Code

This is identical to "file classification code" except that each data element in the file is separately classified. The system can then handle files with mixed classes of data. This feature greatly reduces the redundancy associated with file processing since it permits the grouping of data by functional purpose and utilization rather than by classification. However, it raises both the cost of creating files and the cost of assigning and maintaining classification categories. [Weissman 69]

f. Data Element Profile

This technique is identical to "file access profile" except that the system can now discriminate among need-to-know at a finer level of detail. It is usually implemented by assigning an update word and an access word to each data element descriptor; these words have particular bit settings according to their class. Users with matching need-to-know patterns are permitted access to the data element. The bit-patterns are combined to form a composite need-to-know profile for each data request. In a few instances, the data element profiles also contain legal values of a data element that are accessible by a given class of users.
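One added example, not from the survey or any system it cites, that ties together the terminal profile (2.c), the file classification code (4.a), the file access profile (4.d) and the data element profile (4.f) above: each data element carries a classification plus separate access and update flag-words, a request ORs the element words into a composite need-to-know profile, and the check then applies clearance, the terminal's highest output classification and need-to-know in that order. The level names, compartment names, elements and users are constructed; reading "one-to-one correspondence at each flag position" as "every flag the data requires must be set in the user's word" is an interpretation.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed classification ordering and need-to-know compartments.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
FLAGS = {"PAYROLL": 1 << 0, "PERSONNEL": 1 << 1, "MEDICAL": 1 << 2, "OPS": 1 << 3}


def profile_word(*names: str) -> int:
    """Build a flag-bit profile word from compartment names."""
    word = 0
    for n in names:
        word |= FLAGS[n]
    return word


def flag_names(word: int) -> List[str]:
    return [n for n, bit in FLAGS.items() if word & bit]


@dataclass(frozen=True)
class DataElement:
    name: str
    level: str          # classification of this element (4.e)
    access_word: int    # need-to-know flags required to read it
    update_word: int    # need-to-know flags required to change it


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    profile: int        # the user's own need-to-know word


@dataclass(frozen=True)
class Terminal:
    address: str
    max_level: str      # highest classification that may be output here (2.c)


def composite_profile(elements: Iterable[DataElement], mode: str) -> Tuple[int, str]:
    """OR the element words into one composite need-to-know profile for the request
    and take the highest classification among the elements as the request's level."""
    word, high = 0, "UNCLASSIFIED"
    for e in elements:
        word |= e.access_word if mode == "read" else e.update_word
        if LEVELS[e.level] > LEVELS[high]:
            high = e.level
    return word, high


def check_request(user: User, terminal: Terminal,
                  elements: Iterable[DataElement], mode: str = "read") -> Tuple[bool, str]:
    """Clearance, then terminal profile, then need-to-know; returns (allowed, reason)."""
    needed, level = composite_profile(list(elements), mode)
    if LEVELS[user.clearance] < LEVELS[level]:
        return False, f"clearance {user.clearance} is below {level}"
    if LEVELS[terminal.max_level] < LEVELS[level]:
        return False, f"terminal {terminal.address} may not output {level}"
    # Interpretation of the page's "one-to-one correspondence at each flag
    # position": every flag in the composite word must be set in the user's word.
    missing = needed & ~user.profile
    if missing:
        return False, "need-to-know not held: " + ", ".join(flag_names(missing))
    return True, "ok"
```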

g. File Encryption, Single Key

Techniques for encrypting data have been suggested for use in file handling systems. In most cases, these are variations of cryptographic techniques applied to communication transmission, and consist of applying a single key to all records in the file. However, because of the large number of records in most data files and because of the rather consistent pattern of field occurrences, this type of file encryption only provides a marginal increase in protection. Depending on the amount of character manipulation in the crypto technique, CPU thruput cost can be quite high. [Skatrud 69]

h. File Encryption, Multiple Key

A variation of the preceding technique that reduces the possibility of deciphering is to use a different key (either a cascading or random number sequence) for each record or for a certain number of records. This breaks the consistency of the encoded data and does not significantly affect the cost of the encoding/decoding process. [Van Tassel 69]

i. Data Edition Number

In a system where multiple users are concurrently updating a set of shared data files, it is necessary to prevent one update sequence from intruding on another. A suggested technique is to assign an edition number to every record in the data base. Each user contains the latest version of this edition number in its associated data buffer. When a retrieved record is to be written back into the data base, the file handler checks the user's edition number against the data base edition number and only permits the update if the edition numbers are the same. The file handler also updates the edition number. [Corbato 65]
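The edition-number check as an added example (not code from the survey or the system it cites): two users retrieve the same record, the first write-back succeeds and advances the edition, the second is refused because its buffer carries the stale edition, and a retry loop re-retrieves and reapplies the change. The record layout, the account data and the retry limit are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Record:
    key: str
    fields: Dict[str, object]
    edition: int = 1          # edition number assigned to every record


class EditionConflict(Exception):
    """Another update sequence intruded between retrieval and write-back."""


class FileHandler:
    def __init__(self) -> None:
        self.base: Dict[str, Record] = {}   # the shared data base

    def create(self, key: str, fields: Dict[str, object]) -> None:
        self.base[key] = Record(key, dict(fields))

    def retrieve(self, key: str) -> dict:
        """Hand the user a copy of the record plus the edition it was read at;
        this copy is the user's 'associated data buffer'."""
        rec = self.base[key]
        return {"key": key, "fields": dict(rec.fields), "edition": rec.edition}

    def write_back(self, buffer: dict) -> bool:
        """Permit the update only if the buffer's edition still matches the data base."""
        rec = self.base[buffer["key"]]
        if buffer["edition"] != rec.edition:
            return False          # stale buffer: the update would overwrite another
        rec.fields = dict(buffer["fields"])
        rec.edition += 1          # the file handler advances the edition number
        return True

    def update(self, key: str, change: Callable[[dict], None], retries: int = 3) -> int:
        """Retrieve, apply the user's change, write back; on a collision re-retrieve
        and reapply so the change is computed against the latest edition."""
        for _ in range(retries):
            buf = self.retrieve(key)
            change(buf["fields"])
            if self.write_back(buf):
                return self.base[key].edition
        raise EditionConflict(key)
```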

j. Block-Write Collision

This technique addresses itself to the same problem as above, but does not attempt to control the interaction at the record level. Instead of an edition number, a block-busy flag is assigned to each file segment. When a segment is retrieved for update, the block-busy flag is set, as are all antecedent blocks in the structure (or only the highest level block if the entry point is always top-down through the same index). The busy flag is left on until the user has indicated completion of the update and the file handler has modified the affected index blocks. [Babcock 67]

k. Ring Structures

Ring structures are a combination of logical layers, or rings, of data grouped by sensitivity, and identifiers associated with each user that describe the equivalent sensitivity of the user. It is permissible for a user to access and/or execute any data or routine in its own ring. When a call is made to a segment in another ring, the system traps to a gate controller, which determines if the called ring is more or less sensitive. If the sensitivity is less, then the call is linked to the ring in question. If it is greater, then a check is made of the access list associated with the requested segment. This list identifies legal users (or classes of users), and indicates the type of access and the particular entry point at which they may use the requested segment. The gate controller then establishes the required linkages. To prevent repetitive calls to the gate controller, upper and lower bounds can be assigned to each type of access for any user; requests to any rings within those bounds are automatic and equivalent to operating within the ring of the requesting user. The system that implemented this technique had special hardware registers to check the ring-brackets of segment requests. [Glasser 67]
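The gate controller's decision procedure, written out as an added example that is not code from the survey or from the system it describes. The numbering convention (ring 0 most sensitive), the segment and user names, and the representation of an access list as (access type, entry point) pairs per user class are constructed assumptions; the order of checks (own ring, less sensitive ring, bracket, then access list) follows the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed convention: ring 0 is the most sensitive; larger numbers are less so.


@dataclass
class Segment:
    name: str
    ring: int
    # access list: user class -> set of (access type, entry point) pairs permitted
    access_list: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)


@dataclass
class Requester:
    name: str
    ring: int
    user_class: str
    # per access type, the (most sensitive, least sensitive) rings reachable
    # automatically, without consulting the segment's access list
    brackets: Dict[str, Tuple[int, int]] = field(default_factory=dict)


class GateController:
    def __init__(self) -> None:
        self.log: List[Tuple[str, str, str, str]] = []   # (requester, segment, entry, decision)

    def _record(self, req: Requester, seg: Segment, entry: str,
                decision: str, detail: str) -> Tuple[str, str]:
        self.log.append((req.name, seg.name, entry, decision))
        return decision, detail

    def call(self, req: Requester, seg: Segment, entry: str,
             access: str = "execute") -> Tuple[str, str]:
        """Decide a cross-ring reference; returns (decision, detail)."""
        if seg.ring == req.ring:
            return self._record(req, seg, entry, "own-ring", "same ring, no gate needed")
        if seg.ring > req.ring:
            # Less sensitive ring: the call is simply linked.
            return self._record(req, seg, entry, "linked",
                                f"ring {seg.ring} is less sensitive than {req.ring}")
        lo, hi = req.brackets.get(access, (req.ring, req.ring))
        if lo <= seg.ring <= hi:
            # Within the requester's bracket for this access type: automatic.
            return self._record(req, seg, entry, "bracket", f"{access} bracket {lo}-{hi}")
        permitted = seg.access_list.get(req.user_class, set())
        if (access, entry) not in permitted:
            return self._record(req, seg, entry, "denied",
                                f"class {req.user_class} lacks {access} at {entry}")
        return self._record(req, seg, entry, "gated", f"linkage established at {entry}")
```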

5. Others

Various other software techniques were encountered during the data collection phase that do not conveniently fit into the preceding categories. For the most part, these techniques have to do with using the automated system to simplify or extend some of the procedural requirements in a secured system.

a. Document Log

Some systems automatically maintain an accountability log, making an entry each time that a classified report is released to a user. This log includes the date and time of the original request, the parameters specifying the report extraction criteria, and the terminal and user identification. The security log is available only to an identified security officer.

b. Erroneous Attempts Limit

This technique is applied at several intersection points between a user request and a system function. Since a potential interloper can tinker with legality checks at any one of these points, it is necessary to set some limit on the number of consecutive illegal inputs that will be accepted from any user. Some type of on-line monitoring is required to record or link the sequence of requests.

c. Aggregate Techniques For Reports

A serious problem in on-line systems is the possibility that, even though a user cleared to a low level of access can only access data legally classified at or below his level, the aggregation of all data accessed can provide the basis for interpretive conclusions about higher classified information. Techniques have been suggested that would combine the access profiles (data element profile) of all data elements contained in the report into a new profile that would yield a restricted classification of the report on a need-to-know basis. However, this cannot prevent inferences from data, and more work is needed in this area to determine if some kind of weighting of information content might be possible. [Feige 69]

d. Overwrite And Memory Erase

Any magnetic recording medium retains an electromagnetic
image of the recorded data for some time after the initial
impression. This residue can be read directly, albeit
inadvertently, if access to the area is obtained, or picked
up through passive deliberate penetration attempts. Since
both primary and secondary storage in most on-line multiuser
systems is considered to be virtual memory, it is entirely
possible that an area in which classified data had been
stored and processed could be reassigned to a user having a
lower classification level. To prevent this, methods have
been developed to overwrite primary memory by cascading or
leapfrogging through the area and writing a system constant
(usually zeros) after the memory space is deallocated. The
confidence in this technique is increased if it is
procedurally established that every user routine fills its
scratch area with a different constant. In only a few
systems is the same approach used for secondary storage,
since the time required to overwrite deallocated file space
on a peripheral device, particularly one with a single
read-write head, can be considerable. If a centralized data
manager is used by all system users for handling data files,
it is conceivable that reallocated space can safely be
maintained as "dirty" storage because it is not logically
valid to read empty file space.
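As an added illustration (not from the survey), the following Python model contrasts the two approaches in this paragraph: eager overwrite of deallocated primary memory with a system constant, and secondary storage left "dirty" behind a centralized data manager that refuses to read past a file's logical end. The class names, user names and sample data words are constructed for the example.

```python
# Added model (not from the survey) of overwrite-on-deallocation in primary
# memory and of "dirty" secondary storage behind a central data manager.
# All class names, user names and sample words here are constructed.

SYSTEM_CONSTANT = 0          # the value written over released space


class PrimaryMemory:
    """Word-addressed core with an executive that allocates areas to users."""

    def __init__(self, words, overwrite_on_free):
        self.cells = [SYSTEM_CONSTANT] * words
        self.overwrite_on_free = overwrite_on_free
        self.areas = {}      # start address -> (owner, length)

    def allocate(self, owner, start, length):
        self.areas[start] = (owner, length)

    def write(self, owner, start, values):
        if self.areas.get(start, (None,))[0] != owner:
            raise PermissionError("area not assigned to this user")
        self.cells[start:start + len(values)] = values

    def read(self, owner, start):
        area_owner, length = self.areas[start]
        if area_owner != owner:
            raise PermissionError("area not assigned to this user")
        return self.cells[start:start + length]

    def deallocate(self, start):
        """Release the area; optionally cascade through it writing the constant."""
        _, length = self.areas.pop(start)
        if self.overwrite_on_free:
            self.cells[start:start + length] = [SYSTEM_CONSTANT] * length


def residue(cells):
    """Words that still differ from the system constant (what a new user can see)."""
    return [c for c in cells if c != SYSTEM_CONSTANT]


def reallocation_exposes(overwrite_on_free):
    """User A stores classified words, releases the area, and the executive
    reassigns the same area to lower-cleared user B. Returns B's visible residue."""
    mem = PrimaryMemory(16, overwrite_on_free)
    mem.allocate("A", 4, 4)
    mem.write("A", 4, [7, 7, 7, 7])       # constructed 'classified' words
    mem.deallocate(4)
    mem.allocate("B", 4, 4)               # same area, lower clearance
    return residue(mem.read("B", 4))


class FileStore:
    """Secondary storage whose released blocks are kept 'dirty' (never overwritten);
    the data manager returns only the logically valid part of a file."""

    def __init__(self, blocks, block_size):
        self.blocks = [[SYSTEM_CONSTANT] * block_size for _ in range(blocks)]
        self.files = {}       # name -> (block, logical length)

    def create(self, name, block, data):
        self.blocks[block][:len(data)] = data
        self.files[name] = (block, len(data))

    def delete(self, name):
        del self.files[name]  # no overwrite: too slow on a single-head device

    def read(self, name):
        block, length = self.files[name]
        return self.blocks[block][:length]   # reading past end-of-file is not valid

    def raw_block(self, block):
        """What a user who bypasses the data manager would see on the device."""
        return list(self.blocks[block])


def dirty_storage_demo():
    """Returns (what B reads through the manager, residue in the raw block)."""
    store = FileStore(blocks=2, block_size=8)
    store.create("a_report", 0, [3, 3, 3, 3, 3, 3])   # constructed classified record
    store.delete("a_report")
    store.create("b_note", 0, [9, 9])                  # block 0 reallocated to user B
    return store.read("b_note"), residue(store.raw_block(0))
```

The raw block still holds the earlier record, so the "dirty" policy is only safe while every path to the device goes through the data manager.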

e. Classified Programs

This technique is used in batch oriented systems where, to
the system, a user consists of a set of programs and their
associated data files. Since the programs are designed to
suit this single set of data, they take on the
classification of the data and can only be called or
modified by job control statements input with the proper
classification leader.

f. Classification Headers and Trailers On Hardcopy and
Displays

This technique is an extension of the current procedural
technique of stamping the classification level at the top
and bottom of every classified page of a report. It is
usually a parameter option in the report generation routine.

g. File Log

The file log is an extension of the security log in which
every reference to classified data is logged. It can include
the previous data image if the reference causes a change. It
also usually includes the terminal, user, time, data, and
data parameters associated with the reference.

B. HARDWARE TECHNIQUES

Many of the hardware techniques required for security
purposes have been implemented in third generation
commercial computer systems and in some military computer
systems. The surveyed techniques are assigned to categories
that correspond to the major devices and components in an
on-line system.

1. Central Processing Unit (CPU)

Security related techniques in the CPU provide control of
the logical processes to access and change data. Techniques
that isolate and control the operation of
programs and access to data, provide for recovery from
hardware failure, and allow centralized error checking of
programs and data access are also applicable to the security
of the automated system.

a. Processor Mode, Privileged Instruction Set

Present third generation computer systems have implemented
multiple modes of operation differing in the ability to
process available instructions and in memory access
restrictions. Typically, the system may operate in one of
two modes: the control (executive) mode or the user mode.
The processor will not execute a privileged instruction
unless a processor mode register is set to the control mode.
In the user mode, privileged instructions cannot be executed
and memory accesses are restricted to those which were
assigned while the processor was in the control mode. In the
control mode, all instructions can be executed and all
memory accessed. Should a privileged instruction occur in a
user program or a memory access be attempted outside the
allocated area, an interrupt returns control to the
executive program. User programmed entry into the control
mode is possible only by use of an executive request or
monitor call instruction. Programmed exit to user mode from
control mode is accomplished by executing a return-to-user
mode privileged instruction. [Babcock 67]

b. Core Memory Bounding (BAR, Lock and Key, Paging)

Three major hardware techniques are used to limit core
memory access of user programs to a bounded or allocated
area established by the executive program. The base address
register (BAR), containing upper and lower limits of
allowable core memory access, is used to insure that after
indexing or indirect memory addressing, the hardware memory
address is within the bounds of core memory assigned by the
executive program. The lock and key memory bounds technique
is implemented by the executive assignment of a key word to
user programs and to memory areas that defines the
authorized core access area for that user program. The key
word is automatically checked in the core memory before any
access is allowed. The third method, paging, uses the key
word designated by the executive as part of the hardware
memory address, and access is physically impossible outside
the bounded core memory area. The techniques vary in terms
of hardware cost: the base address register is the lowest;
lock and key, intermediate; and paging the highest.

c. Process Control Register (Read/Write/Execute)

The control of the right to read, write, or execute data has
been implemented utilizing the basic method used for memory
bounding. Flag bits are used in the associated memory bounds
register to indicate the rights of the user program to read
and/or write into core and to execute program instructions
in a given memory area.

d. I/O Control Registers and Mask Register

The loading of I/O control registers and I/O mask registers
allows the centralization of all input/output under
executive control, which is essential to the effective
isolation of user programs and data. The mask register
provides an effective means of controlling different types
of interrupts, including those associated with inadvertent
or deliberate attempts of user programs to perform
unauthorized actions.

e. Parity

Parity, generated for the transmission of data, is checked
by receiving units. A single parity bit detects any single
or odd number of bit errors in the word (character or bit
group) in which it is included. It is used in most third
generation computers to provide a method to detect hardware
errors in all parts of the computer system. Detection of a
parity error causes an interrupt to the executive mode.
[Molho 70]

f. Security Control Flag Bits

Use of flag bits in programs and data for the purpose of
indicating security level is a technique which has been
suggested but not implemented in any of the systems
surveyed. The flag bits in each data word would indicate the
security level of the data and the class of user who could
read or write the data word. The flag bits in program
instructions would govern execution of the program. Both
hardware and software control have been suggested to
interpret the flag bits. The high cost in additional memory
to store these extra bits has been cited as one of the
reasons why the technique has not been implemented. Some of
the more advanced systems have implemented the use of flag
bits with software interpretation at the control word level
rather than the individual word level.

g. Code Redundancy

The use of extra bits to provide code redundancy, to enhance
the capability to correct errors or to better identify
errors, has been suggested but not implemented for key
control instructions. The mode control register and memory
bounds register have been suggested as areas where code
redundancy should be used. [Molho 70]

h. Redundant Key Registers and Logic

The technique of using redundant registers for mode control
and I/O channel control has been suggested but not
implemented. The use of multiple registers that would cause
an error interrupt if they did not agree would insure the
proper functioning of these key controls.

2. Main Memory Module

The control of access to the main memory module is necessary
for proper security control in an automated system. All
programs and data that will be accessed must ultimately
reside in the main memory. Control of main memory areas in
some systems is accomplished by the CPU, in others by a
combination of CPU and memory circuits. Since all data and
programs are read from the memory, the integrity of data in
the memory is paramount. Hardware failures must be detected
to prevent the possibility of CPU execution of changed code
with unpredictable results.

a. Parity Logic

The memory unit checks and/or generates parity bits for
storage in order that odd bit failures can be detected. A
parity failure causes an interrupt to the executive mode in
the CPU.

b. Key Word Register

In lock and key memory protect systems, the memory compares
the key flags of the access request with those set by the
executive in the key word register. This prevents
unauthorized read/write/execute access to memory for data or
programs.

c. Read Only Memory

Read only memory is used in some systems for key control
programs to provide protection against unauthorized change
to programs or data. The higher cost of such memories has
limited their use.

d. Dedicated Memory

The use of separate memories for different classes of users
has been suggested to provide security of classified data.
Such a system requires control by an executive program. The
physical separation of data into separate dedicated memories
also requires correlation software techniques to code data.
Plug-in dedicated memories for special programs and data,
such as security access lists and security monitor programs,
have been proposed but not implemented.

e. Memory Block Erase

A special instruction and associated hardware to clear a
specified block of memory has been suggested in order to
clear residue from a task upon completion of that task. This
procedure would insure that classified data is destroyed
before memory is reallocated. This prevents core dump
instructions at the beginning of the new user program from
outputting the previous user's data.

f. Associative Memory

An associative memory allows the retrieval of data or
programs based upon a code match rather than a hardware
address. It has been suggested as a technique that could be
used to retrieve data or programs based upon a code
designation of the data or program class. Large associative
memories have not been implemented in systems because of
their high cost.

g. Memory Partitioning Ports

The use of special dedicated ports or paths into dedicated
blocks of memory has been suggested as a method to isolate
special classes of data. The special ports could only be
accessed by a special set of privileged instructions.

3. I/O Control Processor

The input/output control processor (IOCP) provides the
hardware interface with mass memory (disc, drums, tapes,
card reader/punch) and with the system's users (printer,
display, communications lines, etc.). Data is transferred
between these external units through the IOCP to the CPU and
main memory. The IOCP features which are particularly
important to data security are the registers and logic that
route the data between the proper external device and the
proper main memory core block and CPU.

a. I/O Bounds Control

The CPU provides the starting address and either the word
count or ending address for any data transfer between
external devices and main memory. The IOCP, through bounds
control, insures that the data is transferred to the
allocated block of memory. Each address is automatically
checked to insure that it is within the address bounds. Any
address outside the address block causes an error interrupt
to the executive mode.

b. Unit Address Register

The unit address for outputs of data is furnished to the
IOCP by the CPU. Unit select gates connect the appropriate
unit buffer in the IOCP based upon the contents of the unit
address register. For data input, demand queueing is
processed by the CPU, which furnishes the IOCP with a
control word defining the allocated memory block for the
input.

c. IOCP Parity Check

Inter-equipment address, data transfer and unit address
control word parity checks provide the capability of
detecting single failures and preventing the misrouting of
data.

d. I/O Channel Number/Character Check

Logic has been suggested but not implemented to provide a
means to identify misrouting of data in the IOCP. Before any
data is released to a channel, the channel number of the
terminal device would be checked by the CPU. A character
count register would be set to allow transmission of a
specified number of characters and decremented to zero as
characters are transmitted. At zero count, the channel
number would again be checked and the character count
register reset. This procedure insures that data is being
input/output on the correct channel and, in case of
malfunction, limits the amount of data released.

e. I/O Security Level Register

This I/O register would check a record control security
code word against a channel security level code. If the
classification level of the control word was higher than
the channel level, an interrupt would be generated. This
channel security level check has been suggested but not
implemented.

f. Channel Number Check Logic

This technique requires that the channel control word from
the CPU to the IOCP be transmitted twice and matched by dual
registers in the IOCP before data is transmitted on the
channel. A mismatch causes an error interrupt. The technique
has been suggested but not implemented.

g. I/O Answerback Check

This suggested technique utilizes hardware which requires an
answer back identifying the receiving terminal unit before
allowing any transmission to the terminal unit. The answer
back terminal unit identification is checked for a match
against the original control word in the IOCP before data is
transmitted.

h. I/O Memory Eraser

The IOCP provides the capability to clear a block of memory
of residue from a previous use of the space. A control word
from the CPU specifies the main memory block address. The
IOCP then cycles through the block addresses transmitting
all zeros to each block address. At the end of the block,
the IOCP generates an interrupt to the CPU that identifies
the block as being cleared. This technique could be used in
CPU limited systems instead of a software routine.

i. I/O Code Redundancy

Additional bits over those logically required could be used
for terminal addressing. This would provide the capability
of error detection and error correction. Additional error
detection and correction hardware would be required.

4. Direct Access Memory Controller

The majority of the data and programs are stored on direct
access memory (disc, drum, tape) and transferred to the main
memory when required for processing. Physical and electrical
control of access to these devices is necessary to insure
security. Electrical access to the devices is through their
controllers, which provide for record address location and
read/write execution on the device.

a. Read Only Lock

Logic and switches on the controller provide the capability
to allow read only access on specified tracks of disc and
drum. These switches are set to read only or read/write at
system setup time. Tape drives can also be set to read only
by write disable switches.

b. Record Address Check

The controller checks the parity of each word as it is read
from the device. A parity error generates an error interrupt
to the IOCP.

c. Check Sum Logic

The controller counts the bits in a given record and checks
this total against a total entered at the beginning or end
of the record. If the totals do not agree, an error
interrupt is generated. This technique allows the detection
of unauthorized change to records.

5. Remote and Local User Terminals

The computer system terminals are the means used for
communication between the automated system and the user.
Access to the terminals and the user capabilities allowed at
the terminals are the key security control features. The
hardware security techniques identified at the terminals
provide means to limit access and control user capabilities.

a. Cryptographic Devices

Cryptographic devices are used to automatically encode and
decode data on communications channels. The techniques used
in the devices are highly classified and require a special
engineering discipline. Therefore, the use of cryptographic
hardware devices becomes a cost-effectiveness decision. For
communication channels, cryptographic techniques are the
only known practical method to prevent access to data by
radiation or wire tapping. [Van Tassel 69]

b. Hang Up and Dial

This technique provides logic that transmits a request from
the terminal for computer services. The computer then
requests a verification of the request from the terminal. An
identification code is automatically sent that confirms the
terminal request. Separate lines have been suggested for the
transmission of the two identification requests. In some
systems, a telephone confirmation by computer support
personnel is used for the verification of the on-line
terminal request. [Petersen 67]

c. Key Pattern Generators

Several techniques to identify individual users have been
suggested. Identification card readers are used by a few
systems. Voice, fingerprint, and combination lock code
generators have been suggested but not implemented for the
generation of individual key patterns. The key patterns are
transmitted to the computer system where access rights to
data and programs are authorized on the basis of the key
pattern comparison.

6. General Techniques

Some of the hardware techniques apply to more than one of
the subsystems of the computer. They are described in this
section.

a. Combination Lock or Lock And Key

The physical securing of key parts of the computer system by
combination lock or lock and key has been suggested as a
method to limit access to critical circuits. The circuits
suggested for this protection are the power circuit at
terminals, read only switches on mass memory devices, the
cabinets that contain the IOCP, CPU, and core memories, and
dedicated plug-in memories.

b. Dual Hardware Access

This technique would require the simultaneous insertion of
keys by more than one person to gain access to key hardware
components.

c. Data Destruction Techniques

The problem of quickly destroying classified data in cases
of seizure of a computer area or a remote terminal is a
security problem in both automated and manual systems. The
problem is not an easy one, since large volumes of data must
be destroyed in a short time. The sequential writing of a
random number stream onto data files does not prevent
residual effects on magnetic storage devices, but would make
data recovery much more difficult. Physical destruction of
devices, depending upon the level of destruction, could
destroy the data involved. The degaussing of the mass
storage devices is a possibility but could require too much
time or unreasonable power levels. It is felt that further
study is needed to identify reasonable and practical methods
to provide for protection from the threat of area seizure.

C. HARDWARE AND SOFTWARE COMPARISONS

Effective on-line control to prevent one user's programs and
data from being accessed or changed by other users' programs
can be achieved by hardware techniques. The use of a
processor mode, privileged instruction set, and memory
bounds provides the tools for effective isolation of
programs and data. The effective on-line control of files or
data from unauthorized access can best be achieved by
software techniques. The use of user profile tables
(containing user code identification, program rights and
clearance level) provides an effective means to control
access to programs and data. Software programs can also
provide security monitoring and security logging of all
access or changes to data and programs. [Carrol 71]

Either software or hardware techniques can be used for
communications channel coding of data, the clearing of
residue data from main memory blocks, terminal user
identification, detection of unauthorized change to data on
direct access memory, and proper I/O routing.

Software  and  hardware  techniques  both  are  considered 
necessary  for  recovery  from  software  failures,  and  if 
required, the effective isolation of support users' access
to  data  and  programs.  The  isolation  of  support  personnel 
from  access  to  data  and  programs  is  the  most  difficult 
automated  security  technique  to  implement.  The  hardware 
techniques  required  consist  of  processor  mode  and  privileged 
instruction  set  and  could  include  the  use  of  dedicated 
memory.  Software  techniques  for  isolation  that  have  been 
suggested but not implemented include relocative bootstrap,
redundant  coding,  module  dialogue  and  program 
interpretation. 

Figure  6  gives  a  summary  of  comparisons  between  hardware 
and  software  techniques.  The  table  shows  the  security  use, 
applicable  techniques  and  remarks  on  major  impact. 

D.   PROCEDURAL  TECHNIQUES 

Procedural  techniques  are  required  to  set  up,  maintain 
and  monitor  the  automated  security  system.  They  apply  as 
well  to  protecting  data  in  the  form  of  hard  copy  reports  as 
they  do  to  protecting  it  in  the  form  of  backup  tapes  and 
disk  packs,  program  listings,  program  decks,  common  data 
pools,  and  user  ID-lists  and  passwords.  They  are  needed  to 
establish  the  manual  as  well  as  the  automated  methods  by 
which  the  four  functions  of  security  are  accomplished. 
These  four  functions  are  classifying  and  declassifying  data, 
providing  the  means  to  safeguard  the  data,  providing  for 
proper  accountability,  and  allowing  the  dissemination  of  the 
data  on  the  basis  of  a  need-to-know.   [ Wasserman  69] 

The security that is obtained in any system ultimately
rests  on  the  responsibility  and  trustworthiness  of  the 
individuals  who  are  associated  with  it.  There  are, 
therefore,   two  primary  procedural  techniques  that  transcend 
the four functional areas and apply equally to every aspect
of  system  activity.  The  first  is  to  guarantee  that  the 
requirement  to  set  up,  maintain  and  monitor  the  system  is 
accomplished  only  by  those  designated  to  perform  the 
indicated  function.  The  second  is  the  formal  establishment 
by  law  of  personnel  responsibility  for  the  safeguarding  and 
dissemination  of  classified  data.  Each  person  is 
responsible  to  safeguard  classified  data  or  programs  made 
available to him for the performance of his official duties
and to limit dissemination of that data to only those with
proper  security  clearance  and  need-to-know.  These  two 
principal procedures are implemented formally in all
government  and  in  several  commercial  systems  reviewed. 

1.   Classifying and Declassifying Procedures

Procedures are available that allow designated
individuals to assign security classifications at the file
and program level. In some systems the user profile
table  specifically  allows  the  authority  to 
classify/declassify  given  files.  In  all  systems,  the 
ability  to  classify/declassify  files  and  programs  is  only 
permitted  to  the  individual  of  highest  level  security 
authority  in  the  installation,  usually  the  system  security 
officer. 

2.   Safeguarding Procedures

All  systems  use  secure  area  protection  for  central 
computer  areas  and  remote  classified  terminals.  Access 
lists  are  maintained  to  allow  entry  into  these  areas.  The 
establishment  of  such  access  lists  is  the  designated 
responsibility  of  the  system  security  officer  through  formal 
submittal  to  the  security  authority.  In  addition,  this 
officer  is  charged  with  the  establishment  and  maintenance  of 
user/terminal  profile  tables  that  provide  the  authority  to 
access  data  and  files  and   the   assignment   of   personal   ID 
and/or code words to authorized users. These should
preferably  be  assigned  in  a  random  manner  and  at  random 
intervals. 

3.   Accountability

Procedures  are  available  to  provide  periodic  review 
of  access  logs,  security  monitor  logs,  record  counts/check 
totals  and  file  logs.  Such  reviews  are  the  responsibility 
of the system security officer or data administrator and are
called  for  at  stated  periodic  times.  Document  signout 
procedures  similar  to  that  used  in  manual  systems  for 
classified  data  are  used  for  hard  copy  classified  material. 
An inventory of all hard-copy classified material, backup
tapes, disk packs, program listings and card decks is
conducted  on  a  periodic  basis. 

4.   Dissemination

The  dissemination  of  data  in  automated  systems  is 
based  on  user/terminal  profile  tables  in  some  systems  and  on 
the  use  of  access  lists  in  others.  The  system  security 
officer  is  responsible  for  the  preparation  and  maintenance 
of  the  table  and  lists.  In  systems  that  use  passwords  or 
code  words,  procedures  are  established  for  the  dissemination 
of  the  current  codes  on  a  periodic  basis  to  those  authorized 
users.  These  procedural  techniques  are  applicable  to  any 
system,  since  they  are  a  common  requirement  for  providing 
adequate  protection.   [ Wasserman  69] 

E.   MANUAL  AND  AUTOMATED  PROCEDURAL  COMPARISONS 

A  comparison  of  procedures  used  in  automated  systems 
versus  those  that  are  used  in  manual  systems  provides  a 
method  to  judge  the  relative  value  of  automated  techniques 
that  are  common  to  both  as  well  as  those  which  are 
analogous.    In   both   automated  and  manual  military  systems 
procedural techniques are used to (1) secure access where
classified  data  is  used,  (2)  to  assure  proper  clearance  of 
personnel,  (3)  to  classify,  access,  disseminate,  and  control 
classified  data,  and  (4)  to  protect  classified  data  during 
transmission  by  cryptographic  secure  communication  lines. 
The  addition  of  automated  techniques  to  increase  the 
reliability  of  these  procedures  could  be  viewed  as  an 
attempt  to  increase  the  security  of  automated  systems  over 
that  of  manual  systems. 

Analogous   techniques   used   in   the  two  systems  are  (1) 
data  storage  procedures,  (2)   data   access   procedures,   (3) 
data   access   accounting,   (4)  storage  check  procedures  and, 
(5)  inventory  procedures. 

Data  access  procedures  in  a  manual  system  are  based  upon 
access  lists  and  personnel  identification.  In  automated 
systems,  access  to  data  and  files  is  based  upon 
user/terminal  profile  tables  and  the  requirement  to  submit 
the  proper  code  word.  Other  techniques  have  been  suggested 
such  as  fingerprint  and  voice  code  pattern  generators. 
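The user/terminal profile table described in section C (user identification, program rights, clearance level) together with the code word check, classify authority (D.1), need-to-know dissemination (D.4) and security logging referred to above, as an added example in Python. This is not code from the survey or from any of the systems it reviews; the clearance ordering, the users, files, code words and compartments are constructed for the example, and storing only a salted PBKDF2 hash of the code word is a modern choice the survey does not describe. Every request, allowed or refused, is written to the log with the reason, which is what later periodic review depends on.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed clearance ordering for the example; the survey states none.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
PBKDF2_ROUNDS = 20_000  # assumed work factor, kept low so the example runs quickly


def hash_code_word(code_word: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Keep a salted hash of the code word in the profile, never the word itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", code_word.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class UserProfile:
    """One row of the user profile table: identification, program rights,
    clearance level, need-to-know compartments, and classify authority."""
    user_id: str
    clearance: str
    program_rights: FrozenSet[str]
    need_to_know: FrozenSet[str]
    salt: bytes
    code_word_hash: bytes
    may_classify: bool = False


@dataclass(frozen=True)
class FileLabel:
    level: str
    compartments: FrozenSet[str]


class ReferenceMonitor:
    """Every access decision is made here and every decision is logged."""

    def __init__(self) -> None:
        self.profiles: Dict[str, UserProfile] = {}
        self.labels: Dict[str, FileLabel] = {}
        self.log: List[dict] = []

    def enroll(self, user_id, clearance, programs, need_to_know, code_word, may_classify=False):
        salt, digest = hash_code_word(code_word)
        self.profiles[user_id] = UserProfile(user_id, clearance, frozenset(programs),
                                             frozenset(need_to_know), salt, digest, may_classify)

    def label_file(self, name, level, compartments):
        self.labels[name] = FileLabel(level, frozenset(compartments))

    def _decide(self, user_id, code_word, program, file_name, op) -> Tuple[bool, str]:
        prof = self.profiles.get(user_id)
        if prof is None:
            return False, "unknown user"
        _, digest = hash_code_word(code_word, prof.salt)
        if not hmac.compare_digest(digest, prof.code_word_hash):
            return False, "code word mismatch"
        if program not in prof.program_rights:
            return False, "program not in profile"
        if op == "classify":              # only the security officer's profile carries this
            return (True, "ok") if prof.may_classify else (False, "no classify authority")
        label = self.labels.get(file_name)
        if label is None:
            return False, "file not labelled"      # default deny
        if LEVELS[prof.clearance] < LEVELS[label.level]:
            return False, "clearance below file level"
        if not label.compartments <= prof.need_to_know:
            return False, "need-to-know not satisfied"
        if op not in ("read", "write"):
            return False, "unknown operation"
        return True, "ok"

    def request(self, user_id, code_word, program, file_name, op, terminal="T01") -> bool:
        allowed, reason = self._decide(user_id, code_word, program, file_name, op)
        self.log.append({"user": user_id, "terminal": terminal, "program": program,
                         "file": file_name, "op": op, "allowed": allowed, "reason": reason})
        return allowed


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed profile table and file labels for the example."""
    m = ReferenceMonitor()
    m.enroll("sso", "TOP SECRET", {"EDITOR", "REPORT"}, {"NUCLEAR", "CRYPTO"},
             "orchard-77", may_classify=True)
    m.enroll("analyst", "SECRET", {"REPORT"}, {"NUCLEAR"}, "harbor-12")
    m.label_file("TARGETS", "SECRET", {"NUCLEAR"})
    m.label_file("KEYLIST", "TOP SECRET", {"CRYPTO"})
    m.label_file("OPS-PLAN", "SECRET", {"NUCLEAR", "CRYPTO"})
    return m
```

A refused request is as important to log as an allowed one: a run of "code word mismatch" entries from one terminal, or repeated attempts on a file outside the user's need-to-know, is exactly what the periodic log review of D.3 is meant to surface.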

Data  access  accountability  in  manual  systems  is 
performed  by  document  sign-out.  In  automated  systems,  logs 
of  file  access  by  user  or  terminal  identification  can  be 
kept  automatically.  Daily  safe  checks  are  used  in  manual 
systems  to  insure  storage  integrity.  In  automated  systems, 
the  access  logs  and  security  program  reports  can  be  reviewed 
as  often  as  desired.  Periodic  inventory  is  used  in  manual 
systems  to  insure  documents  have  not  been  lost  or  stolen. 
In  automated  systems  the  files  are  reviewed  periodically, 
check  sum  totals  are  used  to  insure  data  integrity,  and  all 
security  logs  are  reviewed.  The  conclusion  is  that  the 
automated  system  with  the  use  of  modest  security  techniques, 
can  provide  a  greater  level  of  security  than  is  possible  in 
a  manual  system. 
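The record counts, check totals and periodic inventory called for under Accountability (D.3) and again in the comparison above, as an added example in Python; it is not code from the survey or from any system it reviews. The fixed-column record layout, file names, amounts and the register of backup tapes, listings and card decks are all constructed for the example. It goes one step beyond the text: alongside the arithmetic check total it keeps a digest over the whole file, and the sample shows why, since a change that moves an amount from one record to another leaves both the record count and the check total unchanged.

```python
import hashlib
from typing import Dict, List, Set


def rec(ident: str, amount: int, name: str) -> str:
    """Constructed fixed-column record: columns 0-9 identifier, 10-19 amount
    (the field the check total is run on), 20 onward free text."""
    return f"{ident:<10}{amount:010d}{name}"


def file_totals(records: List[str]) -> dict:
    """Record count, arithmetic check total over the amount field, and a
    digest of the whole content.  Computed once as a baseline, then again
    at each periodic review."""
    h = hashlib.sha256()
    total = 0
    for r in records:
        total += int(r[10:20])
        h.update(r.encode("ascii") + b"\n")
    return {"record_count": len(records), "check_total": total, "digest": h.hexdigest()}


def review_files(baseline: Dict[str, dict], current: Dict[str, List[str]]) -> List[str]:
    """Compare current totals against the baseline and report every difference,
    including files that have appeared without being registered."""
    findings = []
    for name, base in baseline.items():
        if name not in current:
            findings.append(f"{name}: file missing")
            continue
        now = file_totals(current[name])
        for key in ("record_count", "check_total"):
            if now[key] != base[key]:
                findings.append(f"{name}: {key} {base[key]} -> {now[key]}")
        if now["digest"] != base["digest"]:
            findings.append(f"{name}: digest changed")
    for name in current:
        if name not in baseline:
            findings.append(f"{name}: unregistered file")
    return findings


def review_inventory(registered: Set[str], counted: Set[str]) -> List[str]:
    """Periodic inventory of tapes, disk packs, listings and decks against the register."""
    findings = [f"{item}: not found at inventory" for item in sorted(registered - counted)]
    findings += [f"{item}: not on register" for item in sorted(counted - registered)]
    return findings


# Constructed sample data.  The baseline is taken when the files are known good.
SAMPLE_FILES = {
    "PAYROLL": [rec("E001", 125000, "SMITH"), rec("E002", 98000, "JONES"),
                rec("E003", 102500, "BROWN")],
    "ACCESS-LIST": [rec("U001", 0, "SMITH T01"), rec("U002", 0, "JONES T02")],
}
BASELINE = {name: file_totals(recs) for name, recs in SAMPLE_FILES.items()}

# State found at the next review.
TAMPERED_FILES = {
    # 5000 moved from E002 to E001: count and check total are unchanged
    "PAYROLL": [rec("E001", 130000, "SMITH"), rec("E002", 93000, "JONES"),
                rec("E003", 102500, "BROWN")],
    # a user added outside the formal procedure: count changes
    "ACCESS-LIST": SAMPLE_FILES["ACCESS-LIST"] + [rec("U003", 0, "DOE T05")],
    # a file nobody registered
    "SCRATCH": [rec("X", 1, "?")],
}
REGISTER = {"TAPE-0417", "TAPE-0418", "LISTING-PAYROLL-V3", "DECK-SECMON"}
COUNTED = {"TAPE-0417", "LISTING-PAYROLL-V3", "DECK-SECMON", "DECK-UNKNOWN"}


def run_review() -> List[str]:
    """One periodic review over the constructed data; returns all findings."""
    return review_files(BASELINE, TAMPERED_FILES) + review_inventory(REGISTER, COUNTED)


if __name__ == "__main__":
    for line in run_review():
        print(line)
```

The baseline totals are themselves part of the inventory: if they are kept on the same system, under the same access, as the files they check, whoever changes a file can change the baseline to match.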
VI.   CONCLUSIONS

It  is  important  to  understand  what  present  technology 
can  and  cannot  do  in  protecting  classified  information  in  a 
resource  sharing  system.  Present  technology  offers  no  way 
to  absolutely  protect  information  or  the  computer  operating 
system  itself  from  all  security  threats  posed  by  the  human 
beings  around  it.  As  a  consequence,  procedural  and 
administrative  safeguards  must  be  applied  in 
resource-sharing  computer  centers  to  supplement  the 
protection  available  in  the  hardware  and  software. 

Security  control  in  a  computer  system,  especially  a 
resource  sharing  one,  is  a  system  design  problem,  and 
solutions  to  it  must  be  based  on  a  systems  point  of  view. 
The  future  of  data  bank  security  lies  in  designing  a  system 
with adequate protection which is not so complex or
expensive as to discourage its use. In principle, the
number, type, and depth of security controls in a system
should depend on the sensitivity of the information in the
system, on the class of users being served, on the
geographical  distribution  of  the  system,  on  the  nature  of 
the  service  that  the  system  provides  its  users,  and  on  the 
operational  situation  that  the  system  supports. 

The  system  designer  must  be  aware  of  the  totality  of 
potential  leakage  points  in  any  system  in  order  to  create  or 
prescribe  techniques  and  procedures  to  block  entry  and 
exploitation.  The  security  problem  of  specific  computer 
systems  must  be  solved  on  a  case-by-case  basis  employing  the 
best  judgement  of  a  team  consisting  of  system  programmers, 
technical,  hardware,  and  communications  specialists,  and 
security  experts. 